DNS Attack Principles and Prevention

Source: Internet
Author: User
Tags: domain name server, subdomain name, DNS spoofing

As networks have become widespread, network security has become the focus of the Internet: it bears on the further development and spread of the Internet, and even on its survival. Fortunately, Internet security experts have not let users down; network security technologies continue to emerge, giving Internet users and enterprises more peace of mind. The following describes the main technologies in network security, in the hope of providing a reference for the network security solutions of Internet users and enterprises.

How DNS works

DNS is divided into a client and a server. The client asks the question, that is, it presents a domain name to the server, and the server must answer with the real IP address of that domain name. The local DNS server first looks in its own database; if the record is not there, it asks the upstream DNS servers configured on it, and once it gets an answer it saves that answer and returns it to the client.

A DNS server records the name information of the domains it is authoritative for, organized by zone. This information includes the subdomain names and host names under each domain.

Each name server also has a cache area. Its main purpose is to hold the names and IP addresses that the server has already resolved, so that when another client queries the same name, the server does not need to ask other hosts: it can return the record straight from the cache, which speeds up name lookups for clients. For example:

When a DNS client queries a specified DNS server for a host name on the Internet, the server first searches for the name in its own database, then checks whether a record for it exists in its cache. If the record is found, the server returns the corresponding IP address to the client directly. If the name is found neither in the server's data nor in its cache, the server queries another name server. For example:

A DNS client queries a specified DNS server for a host name on the Internet. When the server cannot find the name in its data records, it checks its cache area for the data. When the name is not in the cache either, it asks the nearest name server to help look up the IP address for the name, and that server performs the same procedure in turn. When the result is found, it is returned to the server that originally asked. After receiving the result from the other DNS server, that server first records the host name and its IP address in its cache, and then returns the result to the client.


Common DNS attacks include:

1) Domain Name Hijacking

Attackers gain control of the domain's management password and management mailbox, then point the domain's NS records at a DNS server they control. By adding records for the domain on that server, they make users who visit the domain reach the content the attacker chooses.

This is clearly the responsibility of the DNS service provider, and users themselves can do little about it.

2) Cache Poisoning

By attacking a DNS cache server, users who intended to visit one website are taken to another website of the attacker's choosing without noticing. There are several ways to do this. For example, attackers can exploit a vulnerability in the DNS cache server on the ISP side to attack or take control of it, and so change the responses that the ISP's users receive for a domain name; or attackers exploit vulnerabilities on a user's authoritative domain name server. For example, when a user's authoritative domain name server also acts as a cache server, attackers can inject wrong domain name records into its cache, and all users of that cache server then receive the wrong DNS resolution result.

This method exploits a major DNS flaw that was recently discovered, and it is indeed a major one: it is reported to stem from the design and implementation of the protocol itself, so almost all DNS software has this problem.

3) DDoS attacks

One kind of attack targets the DNS server software itself, usually exploiting vulnerabilities in the BIND software to crash the DNS server or make it refuse service. The other kind does not target the DNS server; instead it uses the DNS server as an "attack amplifier" in the middle to attack other hosts on the Internet, producing a DoS attack.

4) DNS Spoofing

DNS spoofing is an attack in which the attacker impersonates a domain name server.

Principle: if an attacker can impersonate a domain name server and set the IP address returned for a query to the attacker's own IP address, then users end up viewing only the attacker's page instead of the website they wanted. This is the basic principle of DNS spoofing. In fact, DNS spoofing does not actually break into the other party's website; it is an impersonation, a deception.

Most of the existing DNS servers on the Internet are set up with BIND, mainly versions earlier than BIND 4.9.5+P1 and BIND 8.2.2-P5. These BIND versions share a common feature: they cache all results that have been queried. This caching behavior leads to the following problem.

DNS Spoofing

Before a DNS cache entry expires, if a record already exists in the DNS cache, the DNS server returns the cached record directly as soon as a client queries it.
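Added example, not from the original article: a small Python model of the name-server cache described under "How DNS works" and in the paragraph above. It shows that once a record is cached, every client gets the cached answer and no upstream lookup happens until the TTL expires, which is why a wrong record that reaches the cache keeps being served until then. The zone data, addresses (RFC 5737 documentation ranges) and clock are constructed.

```python
import time

class ResolverCache:   # (name, type) -> (rdata, expiry): the "cache area" described above
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be driven deterministically
        self._entries = {}

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype.upper())   # DNS names are case-insensitive

    def put(self, name, rtype, rdata, ttl):
        self._entries[self._key(name, rtype)] = (rdata, self._clock() + ttl)

    def get(self, name, rtype):
        """Return (rdata, remaining_ttl), or None if absent or expired."""
        key = self._key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rdata, expires_at = hit
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[key]   # expired: evict, so the next query goes upstream
            return None
        return rdata, int(remaining)

def resolve(cache, name, rtype, upstream):
    """Serve from cache if possible, else ask upstream(name, rtype) -> (rdata, ttl)."""
    hit = cache.get(name, rtype)
    if hit is not None:
        return hit[0], hit[1], "cache"
    rdata, ttl = upstream(name, rtype)
    cache.put(name, rtype, rdata, ttl)   # every later client now gets this answer
    return rdata, ttl, "upstream"

def demo():
    """Constructed scenario: a wrong record is served until its TTL runs out."""
    now = [0.0]                                   # mutable fake clock (seconds)
    cache = ResolverCache(clock=lambda: now[0])
    zone = {("www.example.com", "A"): ("192.0.2.10", 300)}   # constructed authoritative data
    upstream = lambda n, t: zone[(n.lower().rstrip("."), t)]
    steps = [resolve(cache, "www.example.com", "A", upstream),   # miss -> upstream
             resolve(cache, "WWW.example.com.", "A", upstream)]  # hit despite case and dot
    cache.put("www.example.com", "A", "198.51.100.99", 3600)    # wrong record, long TTL
    steps.append(resolve(cache, "www.example.com", "A", upstream))  # wrong answer served
    now[0] += 3600                                                  # TTL expires
    steps.append(resolve(cache, "www.example.com", "A", upstream))  # upstream again
    return steps
```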

Preventive Measures against DNS Attacks

DNS amplification attacks on the Internet are growing rapidly. This attack uses a flood of packets to generate a large volume of bogus traffic toward a target. How much bogus traffic? Several gigabytes per second, enough to cut anyone off from the Internet.

Like the old-fashioned "smurf" attack, a DNS amplification attack uses spoofed packets aimed at innocent third parties to amplify the traffic volume, in order to exhaust all of the victim's bandwidth. However, the smurf attack sends packets to a network broadcast address to amplify the traffic, whereas DNS amplification attacks involve no broadcast address. Instead, such attacks send small, spoofed queries to a series of innocent third-party DNS servers on the Internet. These DNS servers then send a large number of replies to the apparent source of the queries, producing a much larger volume of traffic that eventually floods the target. Because DNS runs over stateless UDP packets, this spoofing method is commonly used.

This attack mainly relies on the fact that a DNS query of about 60 bytes can elicit a reply of up to 512 bytes, amplifying the traffic volume about 8.5 times. That is good for attackers, but still short of the overwhelming level they want. Recently, attackers have used newer techniques to multiply the amplification of DNS attacks several times over.

Currently, many DNS servers support EDNS, an extension mechanism for DNS introduced in RFC 2671. Some of its options allow a DNS reply to exceed 512 bytes while still using UDP, if the requester indicates that it can handle such a large DNS response. Attackers have used this to produce a large amount of traffic: by sending a query of 60 bytes to obtain a record of about 4000 bytes, they can amplify the traffic volume by 66 times. Some of these attacks have produced a great deal of traffic per second, in some cases even more than 10 GB per second.

To carry out such an attack, the attacker first needs to find several third-party DNS servers that perform recursive queries on behalf of anyone on the Internet (most DNS servers are set up this way). Because recursion is supported, the attacker can send a query to such a DNS server, which then sends the query (recursively) on to a DNS server chosen by the attacker. Next, the attacker sends these servers a query for a DNS record that lives on the attacker's own DNS server. Because these servers perform recursive queries, the third-party servers forward the requests to the attacker's server. For this DNS amplification attack, the attacker has stored a 4000-byte text record on that DNS server.

Now that the attacker has loaded the large record into the caches of a number of third-party DNS servers, the attacker sends DNS queries to these servers (with the EDNS option that permits large replies), and spoofs the source address so that the DNS servers believe the queries come from the IP address the attacker wants to attack. The third-party DNS servers reply with the 4000-byte text record, flooding the victim with large UDP packets. The attacker sends millions of small, spoofed queries to the third-party DNS servers, which in turn flood the victim with a large number of DNS response packets.

How can such large-scale attacks be defended against? First, make sure you have enough bandwidth to withstand small-scale flood attacks. A single T1 line is not enough for an important Internet connection, because any malicious script kiddie could consume your bandwidth. If your connection is not mission-critical, a T1 line is enough; otherwise you need more bandwidth to withstand small-scale floods. However, almost no one can absorb a DNS amplification attack of several gigabytes per second.

Therefore, make sure you have an emergency phone number at hand through which you can reach your ISP at any time, so that you can immediately ask the ISP to filter out the attack upstream. To identify this attack, look for a large volume of traffic consisting of DNS replies (source UDP port 53), especially replies carrying large DNS records. Some ISPs have deployed sensors across their entire network to detect various kinds of attack traffic early, so your ISP may find and stop such an attack before you notice it. Ask whether your ISP has this capability.
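Added example (not from the original article) of the identification step just described: Python that scans UDP flow records for hosts receiving many large replies from source port 53 for which they sent few or no queries. The flow record format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed UDP flow records (not captured traffic): src_ip sport dst_ip dport bytes
SAMPLE_FLOWS = """\
198.51.100.7 53 192.0.2.10 41002 3908
203.0.113.9 53 192.0.2.10 41002 3911
198.51.100.21 53 192.0.2.10 41002 3904
203.0.113.44 53 192.0.2.10 41002 3910
198.51.100.7 53 192.0.2.10 41002 3908
203.0.113.9 53 192.0.2.10 41002 3911
192.0.2.22 51823 203.0.113.9 53 61
203.0.113.9 53 192.0.2.22 51823 96
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, sport, dst, dport, size = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "bytes": int(size)})
    return flows

def find_amplification_victims(flows, min_replies=5, large_reply=512):
    """Flag hosts receiving many large replies from UDP/53 that they did not ask for.

    A legitimate resolver sends roughly one query (dport 53) per reply (sport 53);
    a reflection victim sees replies with few or no matching queries, and with
    EDNS the replies are far larger than the classic 512-byte limit."""
    replies = defaultdict(lambda: {"count": 0, "bytes": 0, "reflectors": set()})
    queries = defaultdict(int)
    for f in flows:
        if f["sport"] == 53:                       # a DNS reply arriving at f["dst"]
            r = replies[f["dst"]]
            r["count"] += 1
            r["bytes"] += f["bytes"]
            r["reflectors"].add(f["src"])          # the abused third-party server
        if f["dport"] == 53:                       # a DNS query sent by f["src"]
            queries[f["src"]] += 1
    report = {}
    for host, r in replies.items():
        avg = r["bytes"] / r["count"]
        unsolicited = r["count"] - queries[host]   # replies beyond what host asked for
        if r["count"] >= min_replies and avg >= large_reply and unsolicited > 0:
            report[host] = {"replies": r["count"], "avg_bytes": round(avg),
                            "unsolicited": unsolicited,
                            "reflectors": sorted(r["reflectors"])}
    return report
```

Running `find_amplification_victims(parse_flows(SAMPLE_FLOWS))` flags only 192.0.2.10, which received six replies of about 3.9 KB each without sending a single query; 192.0.2.22's one small reply matches its one query and is ignored.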

Finally, to help prevent malicious users from using your DNS server as a proxy for this DNS amplification attack, make sure that any of your DNS servers reachable from outside perform recursive queries only for your own network and not for arbitrary Internet addresses. Most major DNS servers can restrict recursion so that they accept recursive queries only from certain networks, such as your own. By preventing recursive queries from being used to load large, harmful DNS records, you keep your DNS server from becoming part of the problem.
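As an added illustration (not from the original article) of the restriction just described, here is the open-resolver setting in a BIND 9 named.conf beside the restricted form. The acl name and the 192.0.2.0/24 prefix are placeholders for your own networks, and a real file contains only one of the two options blocks.

```conf
// Weak: recursion is enabled with no source restriction, so the server
// answers recursive queries for anyone on the Internet (an open resolver).
options {
    recursion yes;
};

// Corrected: recursion and cache reads only for our own networks.
// Placeholder prefix; replace with the networks that should be served.
acl "ournets" { 127.0.0.1; 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { ournets; };
    allow-query-cache { ournets; };
};
```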

Conclusion: network attacks are becoming increasingly rampant and pose a great threat to network security. Any malicious attack can be defended against: one only needs to understand the attack methods and have solid network knowledge to withstand even the most aggressive hackers. New network users need not worry too much, because many network security solutions and firewalls are now on the market. I believe that in the near future the network will be a secure medium for transmitting information. In particular, network security education should always be placed at the top of the overall security effort, with work put into raising the security awareness and basic protective skills of all network users; this matters greatly for the security of the whole network.
